1 Hitachi ID Identity Manager. 2 Agenda. 3 Corporate. Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications

Transcription

1 1 Hitachi ID Identity Manager Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications Manage identities, accounts, groups and roles: Automation, requests, approvals, reviews, SoD and RBAC. 2 Agenda Corporate Hitachi ID Identity Manager Recorded Demos Technology Implementation Differentiation 3 Corporate 2018 Hitachi ID Systems, Inc. All rights reserved. 1

2 3.1 Hitachi ID corporate overview Hitachi ID delivers access governance and identity administration solutions to organizations globally. Hitachi ID IAM solutions are used by Fortune 500 companies to secure access to systems in the enterprise and in the cloud. Founded as M-Tech in A division of Hitachi, Ltd. since Over 1200 customers. More than 14M+ licensed users. Offices in North America, Europe and APAC. Global partner network. 3.2 Representative customers 2018 Hitachi ID Systems, Inc. All rights reserved. 2

3 3.3 Hitachi ID Suite 4 Hitachi ID Identity Manager 4.1 Compliance / internal controls Challenges Slow and unreliable deactivation when people leave. Orphan and dormant accounts. Users with no-longer-needed access. Access that violates SoD policies or represents high risk. Unreliable approvals for access requests. Audit failures and regulatory risk. Solutions Automate deactivation based on SoR (HR). Review and remediate excessive access (certification). Block requests that would violate SoD. Analyze entitlements to find policy violations, high risk users. Automatically route access requests to appropriate stake-holders Hitachi ID Systems, Inc. All rights reserved. 3

4 4.2 Access administration cost Challenges Multiple FTEs required to setup, deactivate access. Additional burden on platform administrators. Audit requests can add significant strain. Solutions Automate access setup, tear-down in response to changes in systems of record (SoRs). Simple, business-friendly access request forms. Route requests to authorizers automatically. Automate fulfillment where possible. Help auditors help themselves: With certification, auditors focus on process, not entitlements. Reports and analytics. 4.3 Access changes take too long Challenges Approvers take too long. Too many IT staff required to complete approved requests. Service is slow and expensive to deliver. Solutions Automatically grant access: Where predicted by job function, location,... Eliminate request/approval process where possible. Streamline approvals: Automatically assign authorizers, based on policy. Invite participants simultaneously, not sequentially. Enable approvals from smart-phone. Pre-emptively escalate when stake-holders are out of office. Automate fulfillment where possible Hitachi ID Systems, Inc. All rights reserved. 4

5 4.4 Access requests are too complicated Challenges Requesting access is complex: Where is the request form? What access rights do I need? How do I fill this in? Who do I send it to, for approval? Complexity creates frustration. Solutions Auto-assign access when possible. Simplify request forms. Intercept "access denied" errors: Navigate lead users to appropriate request forms. Compare entitlements: Help requesters select entitlements. Compare recipient, model user rights. Select from a small set of differences. Automatically assign authorizers based on policy. 4.5 Too many groups Challenges Too many security groups and mail distribution lists. Groups represent business functions but are only manageable by IT. Hard to tell whether membership and access are appropriate. Assigning privileges is complex and costly. Groups and memberships persist long after needed. Solutions Empower business users to create, manage groups directly. Apply policy to requests, naming, metadata. Make groups and memberships temporary where possible. Calculate group membership where there is supporting data. Use request/approval and review/revoke workflows to clean up. Apply analytics to find too-small, too-large, overlapping, etc. 5 Features 2018 Hitachi ID Systems, Inc. All rights reserved. 5

6 5.1 HiIM features Accounts and groups: Create, manage and delete accounts on groups across systems. Update attributes and assign/revoke group memberships. Automation: Monitor one or more systems of record (SoR). Generate requests to grant, revoke access. Request portal: Users can request for themselves or others. Access control model limits visibility, requestability. Certification: Initiated by the system (event, schedule). Stake-holders review identities, entitlements. Generates deprovisioning requests. Workflow: Invite authorizers, implementers, certifiers to act. Built-in reminders, escalation, delegation and more. Selects participants via policy, not flow-charts. Policies, controls: RBAC, SoD. Risk scores, analytics. Approvals, recertification. Integrations: 120+ bidirectional connectors, included. Manage resources including mail boxes, home directories and badges. Incident management, SIEM, , 2FA. Manage building access, physical assets Hitachi ID Systems, Inc. All rights reserved. 6

7 5.2 HiIM data flow Inputs Monitor SoRs (automation). Systems and apps - current state. Request portal: Self-service. Delegated. Access admin. Web services API. Policies Segregation of duties. Risk scores. Role based access control. Authorizer, certifier selection. Visibility / privacy protection. Processes Request forms. Approval workflows. Access certification. Manual fulfillment. Analytics. Outputs Manage accounts and groups via 120 connectors. . Create/update/close tickets. Send events to SIEM. 5.3 Identity and entitlement lifecycle automation Using Hitachi ID Identity Express, we recommend full automation of identity and entitlement lifecycles out of the gate: Joiners, movers, leavers processes. Password management, strong authentication and federation. Change requests, approval, review/certification. Driven by both SoR data and requests. No need to "clean up" entitlements before automating access changes. Roles can be added later: not a pre-requisite. Automate first, clean up afterwards: Unlike with competitors, automation is pre-configured and easy. Start with basic integrations, add connectors over time. Leverage automation and user knowledge to help clean up. Add roles and expand automation over time Hitachi ID Systems, Inc. All rights reserved. 7

8 5.4 Group lifecycle management Hitachi ID Identity Manager can manage groups as well as accounts on target systems. This includes: Create new group. Assign/revoke members. Modify group owners, description and meta data. Manage parent/child relationships. Rename/move (change CN or OU) All change requests, applied to identities, accounts or groups flow through workflow: Hidden and calculated elements. Validation and policy checking. Policy-based approvals. Change history. Group memberships and role assignments can be: Requested, subject to approval, review and revocation. Calculated, based on identity attributes and other groups. Scheduled with a start and end date. A dedicated UI is provided for group members and owners to make changes. 5.5 Monitoring systems of record Any target system can function as a system of record (SoR). Examples: HR apps, SQL databases, CSV files,... Hitachi ID Identity Manager can monitor multiple SoR s: Multinationals: regional HR systems. Colleges: students vs. faculty/staff. Map attributes to user profiles and prioritize. Automatically submit access requests in response to detected changes. Users can submit pre-emptive or corrective requests: New hire not yet in HR. HR data is wrong. Override SoR data until HR updates it. Request portal handles users who never appear in SoRs: Contractors, partners, etc Hitachi ID Systems, Inc. All rights reserved. 8

9 5.6 Requester usability Users rarely know where or how to request access! Windows shell extension, SharePoint error page: Intercept "Access Denied" errors. Navigate user to appropriate request URL. Compare users: Compare entitlements between the intended recipient and a reference user. Select entitlements from the variance. Search for entitlements: Keywords, description, metadata/tags. Relationship between requester and recipient: What recipients can the requester see? What identity attributes are visible? What kinds of requests are available? 5.7 Robust, policy-driven workflow Workflow invites stake-holders to participate in processes: Approve or reject a request. Review entitlements and recertify or remediate. Fulfill an approved request. Extensible. e.g., audit cases. Stake-holders are invited based on policy: No flow-charts or diagrams required. Process is simple, transparent and secure. Routing may be based on relationships, resource ownership, risk. The process is robust, even when people aren t: Invite N participants, accept response from M (M<N). Simultaneous invitations by default (sequential made sense for paper forms). Automatically send reminders. Escalate (e.g., to manager) if unresponsive. Check out-of-office message, pre-emptively escalate. Accessible from smart phone, not just PC Hitachi ID Systems, Inc. All rights reserved. 9

10 5.8 Reports, dashboards and analytics Over 150 reports built in: Many include multiple modes (e.g,. dormant vs. orphan accounts). Identities, entitlements, history, system operation, trends, etc. Easy to add custom reports. Many dashboards included as well. Run interactively or schedule (once, recurring). Deliver output (HTML, CSV, PDF): Interactively. In s. Drop files on UNC shares. Stream results via web services. Actionable analytics: Feedback from reports to requests. Automated remediation. Database is normalized, documented can use 3rd party tools too. 6 Recorded Demos 6.1 Access request (new contractor) Animation:../../pics/camtasia/v10/hiim-onboarding-contractor-original-resolution.mp4 6.2 Create group Animation:../../pics/camtasia/suite11/create-group.mp4 6.3 Access review by managers Animation:../../pics/camtasia/suite11/org-cert.mp4 6.4 Intercept Access Denied Dialogs Animation:../../pics/camtasia/v10/higm-A-request-folder.mp Hitachi ID Systems, Inc. All rights reserved. 10

11 6.5 Compare user entitlements Animation:../../pics/camtasia/v10/hiim-model-after-ui.mp4 6.6 Mobile request approval Animation:../../pics/camtasia/v10/approve-request-group-membership-via-mobile-access-app-1.mp4 6.7 Actionable analytics: Disable orphan accounts Animation:../../pics/camtasia/v10/report2pdr-disable-orphan-accounts-1.mp4 7 Technology 7.1 Active-active architecture Native password change Password synch trigger systems SaaS apps AD, Unix, z/os, LDAP, iseries Validate pw z/os - local agent Mobile UI Mobile proxy Manage Cloud IVR server TCP/IP + AES VPN server Various protocols Secure native protocol HTTPS Reverse web proxy system Load balancers MS SQL databases Notifications and invitations Ticketing system Hitachi ID servers Tickets HR Hitachi ID servers Replication System of record Firewalls Managed endpoints with remote agent: AD, SQL, SAP, Notes, etc Data center A Data center B Remote data center Proxy server (if needed) Managed endpoints 2018 Hitachi ID Systems, Inc. All rights reserved. 11

12 7.2 Key architectural features BYOD enabled On premises and SaaS SaaS apps Cloud Replicated across data centers Horizontal scaling Load balanced TCP/IP + AES Various protocols Secure native protocol Reach across firewalls Data center A Data center B Remote data center HTTPS 7.3 Delivery options On-premises Hosted / SaaS What/where Conventional software; or Virtual appliance. Managed by customer IT; or managed by Hitachi ID remotely. Dedicated instance per customer. Minimum two servers, locations. Proxy server on-premises. Managed by Hitachi ID. Regular upgrades. Charges Software: License, annual maintenance. Virtual appliance: add OS, DB licenses. Managed service: add annual fee. Monthly per-user fee. Commitment for minimum quantity, duration Hitachi ID Systems, Inc. All rights reserved. 12

13 7.4 Internal architecture Multi-master, active-active out of the box. Built-in data replication between app nodes: Fault tolerant. Secure - encrypted. Reliable - queue and retry. App nodes need and should not be co-located. Native, 64-bit code: 2x faster than.net. 10x faster than Java. Stored procedures: For all data lookups, inserts. Fast, efficient. Eliminates client/server chatter. Modern crypto: AES-256, SSHA BYOD access to on-premises IAM system The challenge Users want access on their phones. Phone on the Internet, IAM on-prem. Don t want attackers probing IAM from Internet. Hitachi ID Mobile Access Install + activate ios, Android app. Proxy service on DMZ or cloud. IAM, phone both call the proxy - no firewall changes. IAM not visible on Internet. Internet Personal device Firewall Firewall IAM server (2) HTTPS request: Includes userid, deviceid Outbound connections only DMZ (1) Worker thread: Give me an HTTP request Private corporate network Cloud proxy (3) Message passing system 2018 Hitachi ID Systems, Inc. All rights reserved. 13

14 7.6 Included connectors Directories: Databases: Server OS X86/IA64: Server OS Unix: Server OS Mainframe: Active Directory and Azure AD; any LDAP; NIS/NIS+ and edirectory. Oracle; SAP ASE and HANA; SQL Server; DB2/UDB; Hyperion; Caché; MySQL; OLAP and ODBC. Windows: NT thru 2016; Linux and *BSD. Solaris, AIX and HP-UX. RAC/F, ACF/2 and TopSecret. Server OS Midrange: ERP, CRM and other apps: Messaging & collaboration: Smart cards and 2FA: Access managers / SSO: iseries (OS400); OpenVMS and HPE/Tandem NonStop. Oracle EBS; SAP ECC and R/3; JD Edwards; PeopleSoft; Salesforce.com; Concur; Business Objects and Epic. Microsoft Exchange, Lync and Office 365; Lotus Notes/Domino; Google Apps; Cisco WebEx, Call Manager and Unity. Any RADIUS service or SAML IdP; Duo Security; RSA SecurID; SafeWord; Vasco; ActivIdentity and Schlumberger. CA SiteMinder; IBM Security Access Manager; Oracle AM; RSA Access Manager and Imprivata OneSign. Help desk / ITSM: PC filesystem encryption: Server health monitoring: HR / HCM: Extensible / scriptable: ServiceNow; BMC Remedy, RemedyForce and Footprints; JIRA; HPE Service Manager; CA Service Desk; Axios Assyst; Ivanti HEAT; Symantec Altiris; Track-It!; MS SCS Manager and Cherwell. Microsoft BitLocker; McAfee; Symantec Endpoint Encryption and PGP; CheckPoint and Sophos SafeGuard. HP ilo, Dell DRAC and IBM RSA. WorkDay; PeopleSoft HR; SAP HCM and SuccessFactors. Hypervisors and IaaS: Mobile management: Network devices: Filesystems and content: SIEM: AWS; vsphere and ESXi. Management & inventory: Qualys; McAfee epo and MVM; Cisco ACS; ServiceNow ITAM; HP UCMDB; Hitachi HiTrack. BlackBerry Enterprise Server and MobileIron. 7.7 Rapid integration with custom apps Cisco IOS PIX and ASA; Juniper JunOS and ScreenOS; F5 BigIP; HP Procurve; Brocade Fabric OS and CheckPoint SecurePlatform. Windows/CIFS/DFS; SharePoint; Samba; Hitachi Content Platform and HCP Anywhere; Box.com and Twitter. CSV files; SCIM; SSH; Telnet/TN3270/TN5250; HTTP(S); SQL; LDAP; PowerShell and Python. Splunk; ArcSight; RSA Envision and QRadar. Any SIEM supporting SYSLOG or Windows events. Hitachi ID Identity Manager easily integrates with custom, vertical and hosted applications using flexible agents. Each flexible agent connects to a class of applications: API bindings (C, C++, Java, COM, ActiveX, MQ Series). Telnet / TN3270 / TN5250 / sessions with TLS or SSL. SSH sessions. HTTP(S) administrative interfaces. Web services. Win32 and Unix command-line administration programs. SQL scripts. Custom LDAP attributes. Integration takes a few hours to a few days. Fixed cost service available from Hitachi ID. 8 Implementation 2018 Hitachi ID Systems, Inc. All rights reserved. 14

15 8.1 Hitachi ID professional services Hitachi ID offers a complete range of services relating to Hitachi ID Identity Manager, including: Needs analysis and solution design. Fixed price system deployment. Project planning. Roll-out management, including maximizing user adoption. Ongoing system monitoring. Training. Services are based on extensive experience with the Hitachi ID solution delivery process. The Hitachi ID professional services team is highly technical and have years of experience deploying IAM solutions. Hitachi ID partners with integrators that also offer business process and system design services to mutual customers. All implementation services are fixed price: Solution design. Statement of work. 8.2 ID Express Before reference implementations: Every implementation starts from scratch. Some code reuse, in the form of libraries. Even simple business processes have complex boundary conditions: Onboarding: initial passwords, blocking rehires. Termination: scheduled vs. immediate, warnings, cleanup. Transfers: move mailboxes and homedirs, trigger recertification. Complex processes often scripted. Delay, cost, risk. With Hitachi ID Identity Express: Start with a fully configured system. Handles all the basic user lifecycle processes out of the box. Basic integrations pre-configured (HR, AD, Exchange, Windows). Implementation means "adjust as required" not "build from scratch." Configuration is fully data driven (no scripts). Fast, efficient, reliable Hitachi ID Systems, Inc. All rights reserved. 15

16 8.3 ID Express - Corporate: details Integrations: SQL-based HR SoR. AD domain Exchange domain (mailboxes) Windows filesystem (homedirs) Entitlements: Login IDs. Group memberships. Roles. User communities: Employees. Contractors/other. Configuration: Based on user classes, rules tables and lookup tables. Near-zero script logic. Automation: Onboard/deactivate based on SoR. Identity attribute propagation. Self-service: Password, security question management. Update to contact info. Request for application, share, folder access. Delegated admin: Same as self-service, plus recert. Approval workflows: IT security (global rights). HR/managers (approve for each-other). Recertification: Scheduled. Ad-hoc. 8.4 Services impact of ID Express 1 Initial planning (5:5) Document old processes (30:4) Basic integrations (5:5) Test, debug adjust (30:10) Pilot test, adjust (20:15) Test, debug, fix (15:15) Test in prod, feedback, fixes (5:5) Implement new processes (30:5) Production migration (2:2) Design new processes (30:5) Deploy software (2:2) Implement new processes (30:5) Production migration (2:2) Advanced integrations (30:30) Production migration (2:2) Get feedback (15:5) Test, debug, adjust (15:5) Reset, adjust (10:10) Documentation (5:5) Custom implementation days 9 Differentiation 2018 Hitachi ID Systems, Inc. All rights reserved. 16

17 9.1 HiIM differentiation (1/3) Feature Details Competitors Hitachi ID Identity Express Pre-configured processes, policies. Full implementation or menu of components. Rich processes. Faster deployment. Low implementation risk. Slow, risky deployment. Never get around to J/M/L process automation. Requester usability Intercept "access denied" errors. Compare entitlements of recipient, model users. Usability aid for requesters. Hard to find request portal. Users don t know how to request access. Low user adoption. Reduced ROI. SoD actually works Hierarchy of roles, groups. Roles can contain groups, more roles. Groups can contain other groups. SoD defined at one level, violation may happen at another. Hitachi ID Identity Manager reliably detects, prevents violations. Fail to detect some violations. Users can bypass controls. False sense of security. Audit failures. Regulatory risk Hitachi ID Systems, Inc. All rights reserved. 17

18 9.2 HiIM differentiation (2/3) Feature Details Competitors Active-active architecture Multiple servers. Load balanced. Geographically distributed. No single point of failure. Scalable. Single points of failure. Costly to scale. Slow to recover from disasters. Smart phone access Android and ios apps. Cloud-hosted proxy. No public URL. Approvals, 2FA, contact download, etc. Require a public URL. Less secure / rarely permitted. No viable BYOD strategy. Impacts security, approval SLA. Actionable analytics Link report output to request input. Automated remediation. Immediate or scheduled. No coding. Fewer reports, analytics. No automated remediation Hitachi ID Systems, Inc. All rights reserved. 18

19 9.3 HiIM differentiation (3/3) Feature Details Competitors Group lifecycle management Included. Absent from most competitors. Governance, provisioning in one product Governance: requests, approvals, certification, SoD, RBAC, analytics. Provisioning: connectors, J/M/L process automation. Single, integrated solution. Some focus on governance (no remediation, no J/M/L process automation). Others focus on provisioning (no certification, limited analytics). Higher total cost. Integration risk. Policies built on relationships Relationships drive all policies in Hitachi ID Identity Manager. Who can a user search for? What data is visible? What changes are requestable? Who will be asked to approve? Escalation path? Hierarchical access controls. Script code for exceptions. Costly, risky. Hard to configure, maintain Hitachi ID Systems, Inc. All rights reserved. 19

20 10 Summary An integrated solution for managing identities and entitlements: Automation: onboarding, deactivation, detect out-of-band changes. Manage identities, accounts, groups and roles. Self-service: profile updates, access requests. Governance: certification, authorization workflow, RBAC, SoD, analytics. Automatically manage identities, entitlements: 120 bidirectional connectors. Other integrations: filesystem, collaboration, SIEM, incident management. Rapid deployment: pre-configured Hitachi ID Identity Express. Security, lower cost, faster service. Learn more at Hitachi-ID.com/Identity-Manager 500, Street SE, Calgary AB Canada T2G 2J3 Tel: Fax: hitachi-id.com Date: File: PRCS:pres